Hello Tim,
hi all,
we do use Juniper EX3200 Switches here and I would like to discuss a security
issue in your example conf for Juniper in the documentation referenced by your
posting below:

your doc suggests the option „mac radius“ to be activated. I would rather NOT
suggest that, because:
MAC Authentication is subject to spoofing attacks, which one exactly wants to
get rid of by using 802.1x.
It is exactly the wrong way to activate the mac radius option, as in this case
a juniper switch would use simple mac radius as a fallback, if 802.1x would
fail, which is exactly what you would NOT want to have, if you want to be sure
NOT to be vulnerable to mac spoofing attacks.
So is there a reason you suggest that option for i didn get?
Bye,
Holger
PS:
A additional personal hint: using interface ranges in the „protocols / dot1x /
interface“ config did not work with our switches, we had to explicitly name the
interfaces there.
Von: Timothy Mullican via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Gesendet: Donnerstag, 1. Februar 2018 18:11
An: packetfence-users@lists.sourceforge.net
Cc: Timothy Mullican <tjmullic...@yahoo.com>; Frederic Hermann
<frederic.herm...@neptune.fr>
Betreff: Re: [PacketFence-users] Packetfence RADIUS and Unifi Out of Band
By the way,
Fabrice Durand already added code to do this in pull request #2735 on github.
See
https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2735.patch
You can apply that patch to get it working. Also see
https://github.com/inverse-inc/packetfence/blob/ae18f50b4879cc2d4132490fcee33f2fbe53b36f/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc
for the updated documentation. You can read though my earlier thread to see
the steps I took to get it working.
Tim
Sent from mobile phone
On Feb 1, 2018, at 10:15, David Harvey via PacketFence-users
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
wrote:
This has been a fantastic resource for the thread I recently started (sorry for
the repetition in it)
I would add:
I've added kick-sta to replace both the authorize and unauthorize guest
commands in Unifi.pm
It transpired my in house cert was upsetting things until I updated ca certs on
the debian container I'm using. The symptom was the following in
packetfence.log:
before:
Can't login on the Unifi controller: 500 Can't connect to
10.100.103.33:8443<http://10.100.103.33:8443> (certificate verify failed)
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
after:
Switched status on the Unifi controller using command kick-sta
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)
After this the kick events come through and I get a brief drop in packets
whilst pinging. I'm still fighting the final issue - which is increasing the
duration of the kick, or ensuring a full re-auth occurs, as currently the
device I'm testing with drops packets, but remains on the same VLAN still until
the device is toggled.
Thanks for the guidance and let me know if you face/overcame anything similar.
Cheers,
David
On Mon, Jul 17, 2017 at 3:54 PM, Frederic Hermann via PacketFence-users
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
wrote:
> De: "Michael Westergaard via PacketFence-users"
> <packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
Hi Michael,
> I am trying to see if Packetfence is a proper way to do NAC with Unifi UAP-AC
> with dynamic VLAN. According to the new Unifi Controller 5.5.19 release,
> Dynamic Wireless VLAN with RADIUS is now out of beta which Packetfence is
> using
> for authenticating users over wireless and then changing the VLAN.
> However I cannot find any documentation anywhere if this is possible in
> Packetfence Documentation?
> Especially Packetfence Out of Band (Dynamic VLAN) with Unifi. Have anybody
> been
> able to make it work?
We made some test a few weeks ago, and we've been able to manage an Unifi
controler using Radius mode ( rather than the Portal mode described in
PacketFence documentation).
This allow you to use dynamic VLAN with WPA2-Enterprise, as it seems that
dynamic VLAN are only available in secure mode on unifi.
The only change we had to do (on the packetfence side) was
That means you have to configure your AP type as "Unifi Controller" in
packetfence, and set the Deauth method to "HTTPS", instead of Radius.
Of course you will also define the unifi controller IP in the same location.
Then you will have to edit (or override) the Unifi.pm module to change the
webservice command used to auth/deauth users : this is in the
"_deauthenticateMacWithHTTP" method, and you should use the "kick-sta" unifi
command through the webservice, instead of the
"authorize-guest/unauthorise-guest".
Hope this help,
Regards
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org<http://Slashdot.org>! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot